$lastmodified = $pathisstring ? time() : filemtime($path);
$filesize = $pathisstring ? strlen($path) : filesize($path);
+ if ($mimetype=='application/pdf') {
+ //Adobe Reader XSS prevention - please note that it prevents opening of pdfs in browser
+ $mimetype = 'application/x-forcedownload';
+ $forcedownload = true;
+ }
+
//IE compatibiltiy HACK!
if (ini_get('zlib.output_compression')) {
ini_set('zlib.output_compression', 'Off');
}
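Review bot: The new check on line 3 compares `$mimetype` with `==` against one exact lowercase string, so a value such as `application/PDF` or a parameterised `application/pdf; charset=binary` is not caught and the forced download never kicks in for it. MIME types are case-insensitive, so normalise before comparing, e.g. `if (strcasecmp($mimetype, 'application/pdf') === 0) {`, and strip any `;` parameters first if callers can pass them. The comment on line 4 should also note that `$forcedownload = true` is what later suppresses inline rendering, since a reader of this block cannot otherwise tell why both the type and the flag are changed. The enclosing function starts and ends outside the hunk.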
$arreach['value'] = preg_replace("/j\s*a\s*v\s*a\s*s\s*c\s*r\s*i\s*p\s*t/i", "Xjavascript", $arreach['value']);
$arreach['value'] = preg_replace("/e\s*x\s*p\s*r\s*e\s*s\s*s\s*i\s*o\s*n/i", "Xexpression", $arreach['value']);
+ } else if ($arreach['name'] == 'href') {
+ if (stripos($arreach['value'], '.pdf')) {
+ //Adobe Reader XSS protection
+ $arreach['value'] = preg_replace('/(\.pdf)[^a-z0-9_\.\-].*$/i', '$1', $arreach['value']);
+ }
}
$attStr .= ' '.$arreach['name'].'="'.$arreach['value'].'"';
}
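Review bot: The guard on line 16 uses the return value of `stripos()` directly as a boolean, so a match at offset 0 reads as false; compare explicitly with `if (stripos($arreach['value'], '.pdf') !== false) {`. The replacement on line 18 truncates everything after `.pdf` when the next character is outside `[a-z0-9_.-]`, which also removes legitimate query strings on PDF links, so the bare `//Adobe Reader XSS protection` should state that trade-off, e.g. `// drops the fragment/query after .pdf so the Reader plugin cannot receive script via the URL; legitimate ?params on PDF links are lost too`. Both tests run on the raw attribute value, so a percent-encoded extension is not matched; running `rawurldecode()` on the value before the check is the usual mitigation. `else if` should be `elseif` for consistency with PHP style. The foreach enclosing this branch starts outside the hunk.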